Re: [Declude.JunkMail] Copy To

2004-07-22 Thread Matt




serge wrote:

> thanks matt
> let me see if i finally understand this
> To and CC are in the headers but not BCC
> the recipient can be either in To, CC, or BCC, and therefore may not be in the header
> when you say address used in smtp connection, you mean the recipient address, which is what we find in the Q.smd (called envelope??)
> Am i correct so far ?

Yes.

> Finally, can we use ALLRECIPS and REALRECIPS in filters ?

Yes

> then, to answer the original question, we can have a filter test "Monitor" with
> REALRECIPS 0 Contains [EMAIL PROTECTED]
>
> and an action
>
> MONITOR    copyto monitoracc

Yes, however it would be generally recommended to use ALLRECIPS unless
you have a specific need to use REALRECIPS.  REALRECIPS might not match
the addresses contained in the Q file if those addresses are aliased or
forwarded to others.  That is of course if I understand it correctly
(it might do both, but not according to the way the documentation is
written).

Matt
-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] Copy To

2004-07-22 Thread serge



thanks matt
let me see if i finally understand this
To and CC are in the headers but not BCC
the recipient can be either in To, CC, or BCC, and therefore may not be in the header
when you say address used in smtp connection, you mean the recipient address, which is what we find in the Q.smd (called envelope??)
Am i correct so far ?

Finally, can we use ALLRECIPS and REALRECIPS in filters ?

then, to answer the original question, we can have a filter test "Monitor" with
REALRECIPS 0 Contains [EMAIL PROTECTED]

and an action

MONITOR    copyto monitoracc


- Original Message -
From: Matt
To: [EMAIL PROTECTED]
Sent: Friday, July 23, 2004 5:13 AM
Subject: Re: [Declude.JunkMail] Copy To

Serge,

The headers will only contain To and CC addresses, and with spam the
RCPT To is often different.  If you want to test the To and CC
addresses then you should use a HEADERS search.  If you want to test
the RCPT To addresses which are used during the SMTP connection, you
would use either ALLRECIPS (which tests the actual RCPT To addresses)
or REALRECIPS (which tests the addresses even if indirect, i.e.
aliased).

Matt

serge wrote:

> is there no way to set a junkmail filter to test for recipients ?
> Something like
> headers 0 contains [EMAIL PROTECTED]
>
> TIA
>
> - Original Message -
> From: "Pete McNeil" <[EMAIL PROTECTED]>
> To: "Jeff Kratka" <[EMAIL PROTECTED]>
> Sent: Thursday, July 22, 2004 6:59 PM
> Subject: Re: [Declude.JunkMail] Copy To
>
> > On Thursday, July 22, 2004, 2:29:39 PM, Jeff wrote:
> >
> > JK>  I would like to monitor both incoming and outgoing mail from 1 particular
> > JK> e-mail address on my domain. What would be the easiest/simplest way of doing
> > JK> it without the person's knowledge.
> >
> > Use the 'copy mail to' feature in IMail and then filter the contents.
> > The feature will send all mail to that account, so be sure you have
> > appropriate filtering in place before you go this route.
> >
> > This should be the simplest way.
> >
> > _M

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
  
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.




Re: [Declude.JunkMail] Copy To

2004-07-22 Thread Matt




Serge,

The headers will only contain To and CC addresses, and with spam the
RCPT To is often different.  If you want to test the To and CC
addresses then you should use a HEADERS search.  If you want to test
the RCPT To addresses which are used during the SMTP connection, you
would use either ALLRECIPS (which tests the actual RCPT To addresses)
or REALRECIPS (which tests the addresses even if indirect, i.e.
aliased).

Matt



serge wrote:

> is there no way to set a junkmail filter to test for recipients ?
> Something like
> headers 0 contains [EMAIL PROTECTED]
>
> TIA
>
> - Original Message -
> From: "Pete McNeil" <[EMAIL PROTECTED]>
> To: "Jeff Kratka" <[EMAIL PROTECTED]>
> Sent: Thursday, July 22, 2004 6:59 PM
> Subject: Re: [Declude.JunkMail] Copy To
>
> > On Thursday, July 22, 2004, 2:29:39 PM, Jeff wrote:
> >
> > JK>  I would like to monitor both incoming and outgoing mail from 1 particular
> > JK> e-mail address on my domain. What would be the easiest/simplest way of doing
> > JK> it without the person's knowledge.
> >
> > Use the 'copy mail to' feature in IMail and then filter the contents.
> > The feature will send all mail to that account, so be sure you have
> > appropriate filtering in place before you go this route.
> >
> > This should be the simplest way.
> >
> > _M




-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] Copy To

2004-07-22 Thread serge
is there no way to set a junkmail filter to test for recipients ?
Something like
headers 0 contains [EMAIL PROTECTED]

TIA

- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Jeff Kratka" <[EMAIL PROTECTED]>
Sent: Thursday, July 22, 2004 6:59 PM
Subject: Re: [Declude.JunkMail] Copy To

> On Thursday, July 22, 2004, 2:29:39 PM, Jeff wrote:
>
> JK>  I would like to monitor both incoming and outgoing mail from 1 particular
> JK> e-mail address on my domain. What would be the easiest/simplest way of doing
> JK> it without the person's knowledge.
>
> Use the 'copy mail to' feature in IMail and then filter the contents.
> The feature will send all mail to that account, so be sure you have
> appropriate filtering in place before you go this route.
>
> This should be the simplest way.
>
> _M


Re: [Declude.JunkMail] Declude reporting wrong IP... why?

2004-07-22 Thread Joe Wolf
Scott...

HOP is "0", no HOPHIGH.  IPBYPASS 192.168.1.50 which is my backup spooler.

Complete "Received:" headers below:

Received: from smtp.fidnet.com [216.229.64.74] by mail.csimo.com
  (SMTPD32-8.12) id AD2B20D0070; Thu, 22 Jul 2004 16:10:03 -0500
Received: (qmail 13061 invoked by uid 20954); 22 Jul 2004 21:09:57 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 13057 invoked from network); 22 Jul 2004 21:09:57 -
Received: from exprod6mx94.postini.com (HELO psmtp.com) (12.158.36.78)
  by smtp.fidnet.com with SMTP; 22 Jul 2004 21:09:57 -
Received: from source ([216.229.87.4]) by exprod6mx94.postini.com
([12.158.35.251]) with SMTP;
 Thu, 22 Jul 2004 16:09:56 CDT
Received: from office [192.168.1.177] by mail.csimo.com
  (SMTPD32-8.12) id AD281C400BE; Thu, 22 Jul 2004 16:10:00 -0500

I'm not running the current version of Declude (don't have a service
agreement).

Thanks for your help!

-Joe


- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 22, 2004 5:09 PM
Subject: Re: [Declude.JunkMail] Declude reporting wrong IP... why?


> > I've had a couple of reports that my messages were failing SPF.  I sent a
> > message to myself via a loop and am totally confused at the message header.
> >
> > The message was actually sent from my computer on private IP 192.168.1.177
> > to my IMail server at 216.229.87.4.  For some reason Declude reports that
> > I sent the message from 216.229.64.74.  That IP is one of our IP's, but
> > not at this location and the message never touched that subnet.
>
> What are your HOP, HOPHIGH, and IPBYPASS settings?
>
> > Top part of message header shows correct information:
> >
> > Received: from source ([216.229.87.4]) by exprod6mx94.postini.com
> > ([12.158.35.251]) with SMTP;
> >  Thu, 22 Jul 2004 16:09:56 CDT
> > Received: from office [192.168.1.177] by mail.csimo.com
> >   (SMTPD32-8.12) id AD281C400BE; Thu, 22 Jul 2004 16:10:00 -0500
>
> Are there any further Received: headers?
>
> > X-Declude-Sender: [EMAIL PROTECTED] [216.229.64.74]
> > X-Note: This message was sent from 216-229-64-74-empty.fidnet.com
> > ([216.229.64.74]).
>
> Does the IP 216.229.64.74 appear anywhere in the headers?
>
> What version of Declude JunkMail are you running?
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> since 2000.
> Declude Virus: Ultra reliable virus detection and the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.


Re: [Declude.JunkMail] Message header review

2004-07-22 Thread Matt




I just tried to do a telnet session with this server and it requires
SMTP AUTH.  My feeling here is that there are enough Earthlink
customers out there that someone could quite easily generate lists of
hundreds of valid usernames and passwords from an AUTH attack on a
server such as this, and that this is what they have done.  Your mail
headers and the ones that I have seen show clearly that spam zombies
are sending E-mail directly through this server, and since this server
requires AUTH to do so, I am guessing that this is what they are
doing.  I first noticed this about a month ago, although at this moment
I can't guarantee it was the exact same machine at Earthlink that was
leaking the spam.

Here's the bad news about this server...it is a legitimate relay.
Yesterday's log shows a message that is definitely legitimate that
comes from this server (in addition to about 4 pieces of spam from the
Cyrillic Spammer who encodes subjects in Windows 1251 character sets and
sends in both English and Russian if this is the guy that I am thinking
it is).  Unfortunately I don't have a copy of that message so I can't
tell if it was relayed from another Earthlink server, or if it was
relayed directly from a client through that server and then to us.
Unless it is relayed from another server, you can't IPBYPASS it.

Note that there are other Earthlink servers that are also relaying
authenticated spam such as 207.217.120.220, 207.217.120.131,
207.217.120.227, etc.  All of the spam is from this Cyrillic Spammer
guy and it seems to be an issue with their entire mail server network.
If anyone thinks that there is an easy way to stop this from our
end...think again.  If someone hacks the AUTH in enough accounts,
you can set up networks of spam zombies to send in low enough volume
that you can bypass their automatic detection of such abuse (if it
exists at present).  In other words, it's totally up to Earthlink to
stem this abuse.

In the meantime since it seems to be completely isolated to this one
guy, here's a filter that can be used in JunkMail Pro v1.79i8 or higher:

# HACKEDEARTHLINK v1.0.0

REVDNS        END    NOTENDSWITH    .earthlink.net
MAILFROM    END    CONTAINS    earthlink

SUBJECT        10    CONTAINS    =?windows-1251?b?


This filter will work because he randomizes his Mail From address so it
will frequently be from another domain.  I would consider it to be
quite safe to score high.  The only time you should get a false
positive is when an Earthlink customer relays E-mail that is Windows
1251 encoded through their servers and has configured their mail client
to use a different domain name.  In other words, this is about as safe
of a filter as they come.  Let's hope that other spammers are slower in
picking up on the AUTH hacking bandwagon and that ISPs put in place
proper E-mail intrusion detection systems.

Matt







Brad Morgan wrote:

> > Earthlink has for some reason been forwarding spam through this
> > server for some time.  I'm not sure what the setup is, but it's
> > a legitimate Earthlink server and the E-mail originates from a
> > spam zombie.
> >
> > I have thought about IPBYPASS'ing this server in order to capture
> > the real source, but I have yet to confirm if this server is just
> > used for forwarding or what the case may be.  It could be that
> > this is an open relay, a forwarding server, or a full fledged mail
> > server.  I am guessing the first.
> >
> > Matt
>
> Can't you use abuse.net's open relay test to determine if it's as
> simple as an open relay?
>
> I tried and it appears to not be an open relay, but I'm not an
> expert at these things so I may not understand what I'm doing.
>
> Regards,
>
> Brad


  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
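
The HACKEDEARTHLINK filter from the message above, evaluated by a small Python interpreter. This is an added example, not code from the thread or from Declude. It assumes that a matching END line stops the filter, that a numeric action adds that weight, and that comparisons ignore case (the posted filter uses `?b?` while the sample header has `?B?`); the MAIL FROM addresses and the plain subject are constructed.

```python
# Added example: evaluates the HACKEDEARTHLINK filter text from the thread.
# Assumptions (not Declude's code): a matching END line stops the filter,
# a numeric action adds that weight, and comparisons ignore case.
from email.header import decode_header, make_header

FILTER_TEXT = """\
# HACKEDEARTHLINK v1.0.0
REVDNS        END    NOTENDSWITH    .earthlink.net
MAILFROM    END    CONTAINS    earthlink
SUBJECT        10    CONTAINS    =?windows-1251?b?
"""

# Only the two comparison operators this filter uses.
OPERATORS = {
    "CONTAINS": lambda value, needle: needle in value,
    "NOTENDSWITH": lambda value, needle: not value.endswith(needle),
}


def parse_filter(text):
    """Turn filter lines into (field, action, operator, needle) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        field, action, operator, needle = line.split(None, 3)
        if operator not in OPERATORS:
            raise ValueError("unsupported operator: " + operator)
        rules.append((field, action, operator, needle.lower()))
    return rules


RULES = parse_filter(FILTER_TEXT)


def score(facts, rules=RULES):
    """Weight the filter adds for one message.

    facts maps REVDNS, MAILFROM and SUBJECT to strings. SUBJECT is the raw
    header value, because the filter matches the encoded-word prefix itself.
    """
    total = 0
    for field, action, operator, needle in rules:
        value = facts.get(field, "").lower()
        if OPERATORS[operator](value, needle):
            if action == "END":
                return total  # stop processing, keep what was scored so far
            total += int(action)
    return total


def readable(raw_header):
    """Decode RFC 2047 encoded-words so an analyst can read the header."""
    return str(make_header(decode_header(raw_header)))


# The reverse DNS name and the encoded-word come from the headers quoted in
# the thread; MAIL FROM values and the plain subject are constructed.
RELAY = "asmtp-a063f33.pas.sa.earthlink.net"
ENCODED = "=?windows-1251?B?Y2FtZWxsaWE=?="

CASES = {
    "spam pattern": {
        "REVDNS": RELAY, "MAILFROM": "x1@example.com", "SUBJECT": ENCODED},
    "earthlink sender": {
        "REVDNS": RELAY, "MAILFROM": "user@earthlink.net", "SUBJECT": ENCODED},
    "other relay": {
        "REVDNS": "mail.example.org", "MAILFROM": "x1@example.com",
        "SUBJECT": ENCODED},
    "plain subject": {
        "REVDNS": RELAY, "MAILFROM": "x1@example.com",
        "SUBJECT": "Meeting notes"},
    # The false positive named in the post: an Earthlink customer using their
    # own domain and a Windows-1251 subject is indistinguishable from the spam.
    "customer own domain": {
        "REVDNS": RELAY, "MAILFROM": "owner@example.net", "SUBJECT": ENCODED},
}

if __name__ == "__main__":
    for name, facts in CASES.items():
        print(name, score(facts), readable(facts["SUBJECT"]))
```
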




Re: [Declude.JunkMail] Message header review

2004-07-22 Thread i360 Support



I have forwarded several spam emails to [EMAIL PROTECTED] but the only response
I get back is that the email did not originate from their network.

It's really annoying that they don't give a shit.

I would have blocked them if it had not been for one of my clients needing
email from that server (they have a client that hosts with earthlink).

Thanks to all for the responses.

Heimir


- Original Message -
From: Matt
To: [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 4:07 PM
Subject: Re: [Declude.JunkMail] Message header review

Earthlink has for some reason been forwarding spam through this server
for some time.  I'm not sure what the setup is, but it's a legitimate
Earthlink server and the E-mail originates from a spam zombie.

I have thought about IPBYPASS'ing this server in order to capture the
real source, but I have yet to confirm if this server is just used for
forwarding or what the case may be.  It could be that this is an open
relay, a forwarding server, or a full fledged mail server.  I am
guessing the first.

Matt

i360 Support wrote:

> Can someone help me with the header of this message.
>
> I think this came from earthlink.net mail server.
> According to earthlink abuse they can't do anything about this type of
> spam since it did not originate from their network.
>
> We get porn spam from this segment all the time.
>
> Received: from asmtp-a063f33.pas.sa.earthlink.net [207.217.120.149] by deepspace.i360.net with ESMTP
>   (SMTPD32-7.15) id A94339680150; Thu, 22 Jul 2004 10:12:03 -0500
> Received: from 68-235-252-102.atlsfl.adelphia.net ([68.235.252.102])
>  by asmtp-a063f33.pas.sa.earthlink.net with asmtp (Exim 4.34)
>  id 1BnfBN-00062N-F4; Thu, 22 Jul 2004 08:08:32 -0700
> Message-ID: <[EMAIL PROTECTED]>
> Reply-To: "=?windows-1251?B?Y2FtZWxsaWE=?=" <[EMAIL PROTECTED]>
> From: "=?windows-1251?B?Y2FtZWxsaWE=?=" <[EMAIL PROTECTED]>
> Subject: SPAM:
> =?windows-1251?B?QnJpZGdldCBtb25yb2Ugc3Vja2luZyBhIGhhcmQgY29jayB2ZXJ5IGRlZXA=?=
> Date: Thu, 22 Jul 2004 00:56:07 -0400
> MIME-Version: 1.0
> Content-Type: text/html; charset="windows-1251"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
> X-ELNK-Trace:
> 006cdaaeaf6f69a98241270f52c7d65b7e972de0d01da9401ceba94723fb6a47959954e32e1a9354350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
> X-Originating-IP: 68.235.252.102
> X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
> X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]"
> X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [840a].
> X-Declude-Sender: [EMAIL PROTECTED] [207.217.120.149]
> X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
> X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, BADHEADERS, WEIGHT10 [11]
> X-Note: This E-mail was sent from asmtp-a063f33.pas.sa.earthlink.net ([207.217.120.149]).
> X-RCPT-TO: <[EMAIL PROTECTED]>
> Status: U
> X-UIDL: 384479918

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] Declude reporting wrong IP... why?

2004-07-22 Thread R. Scott Perry

> I've had a couple of reports that my messages were failing SPF.  I sent a
> message to myself via a loop and am totally confused at the message header.
>
> The message was actually sent from my computer on private IP 192.168.1.177
> to my IMail server at 216.229.87.4.  For some reason Declude reports that
> I sent the message from 216.229.64.74.  That IP is one of our IP's, but
> not at this location and the message never touched that subnet.

What are your HOP, HOPHIGH, and IPBYPASS settings?

> Top part of message header shows correct information:
>
> Received: from source ([216.229.87.4]) by exprod6mx94.postini.com
> ([12.158.35.251]) with SMTP;
>  Thu, 22 Jul 2004 16:09:56 CDT
> Received: from office [192.168.1.177] by mail.csimo.com
>   (SMTPD32-8.12) id AD281C400BE; Thu, 22 Jul 2004 16:10:00 -0500

Are there any further Received: headers?

> X-Declude-Sender: [EMAIL PROTECTED] [216.229.64.74]
> X-Note: This message was sent from 216-229-64-74-empty.fidnet.com
> ([216.229.64.74]).

Does the IP 216.229.64.74 appear anywhere in the headers?

What version of Declude JunkMail are you running?

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] Message header review

2004-07-22 Thread R. Scott Perry

> Can someone help me with the header of this message.
> I think this came from earthlink.net mail server.
> According to earthlink abuse they can't do anything about this type of
> spam since it did not originate from their network.
>
> We get porn spam from this segment all the time.

You can always trust the IP address that IMail adds to the E-mail (which is
normally the top one).  In this case:

Received: from asmtp-a063f33.pas.sa.earthlink.net [207.217.120.149] by
deepspace.i360.net with ESMTP
  (SMTPD32-7.15) id A94339680150; Thu, 22 Jul 2004 10:12:03 -0500

the IP is 207.217.120.149.  Although it *looks* like it came from
earthlink.net, you can't be sure from that header.  But looking at the
reverse DNS entry of that IP:

X-Note: This E-mail was sent from asmtp-a063f33.pas.sa.earthlink.net
([207.217.120.149]).

shows that it did indeed come from an IP that claims to be an Earthlink
IP.  It is technically possible that a spammer could forge the reverse DNS
entry, so you need to check that asmtp-a063f33.pas.sa.earthlink.net has an
A record of 207.217.120.149, or you can check the IPWHOIS information for
207.217.120.149.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
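
The check described in the message above (take the reverse DNS name, then confirm that the name's A record points back at the same IP), as an added Python example that is not part of the original post. The lookup tables are constructed stand-ins for DNS so the example runs offline; the first name and IP are the ones from the thread, but their mapping here is not a recorded lookup result, and the verdict strings are hypothetical names.

```python
# Added example (not from the thread): forward-confirmed reverse DNS.
import socket


def system_ptr(ip):
    """PTR name for ip from the system resolver (empty list on failure)."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []


def system_a(name):
    """IPv4 addresses for name from the system resolver (empty on failure)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_sender(ip, expected_suffix, ptr_lookup=system_ptr, a_lookup=system_a):
    """Classify a connecting IP against the domain it claims to belong to.

    The PTR record is controlled by whoever runs the IP's reverse zone, so a
    name is only believed if its own A record lists the same IP.
    """
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return "no-ptr"
    confirmed = [n for n in names if ip in a_lookup(n)]
    if not confirmed:
        return "ptr-not-confirmed"  # name exists but does not point back
    suffix = expected_suffix.lower()
    if any(n.endswith(suffix) for n in confirmed):
        return "confirmed"
    return "confirmed-other-domain"


# Constructed stand-in for DNS data (documentation address ranges except the
# first entry, whose name and IP are the ones quoted in the thread).
FAKE_PTR = {
    "207.217.120.149": ["asmtp-a063f33.pas.sa.earthlink.net"],
    "198.51.100.7": ["mail.earthlink.net"],  # PTR claims a domain it is not in
    "203.0.113.9": ["mx.example.org"],
}
FAKE_A = {
    "asmtp-a063f33.pas.sa.earthlink.net": ["207.217.120.149"],
    "mail.earthlink.net": ["192.0.2.10"],
    "mx.example.org": ["203.0.113.9"],
}


def fake_ptr(ip):
    return FAKE_PTR.get(ip, [])


def fake_a(name):
    return FAKE_A.get(name, [])


def demo():
    """Run the check over the constructed table for the .earthlink.net claim."""
    ips = ["207.217.120.149", "198.51.100.7", "203.0.113.9", "192.0.2.55"]
    return {ip: check_sender(ip, ".earthlink.net", fake_ptr, fake_a) for ip in ips}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```
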



RE: [Declude.JunkMail] bannotify.eml

2004-07-22 Thread R. Scott Perry

> Correction:
> Should read "If we want to block all zips, but we want to NOT send an
> 'attachment blocked' message if the zip is an EZIP, can this be
> accomplished with SKIPIFEXT EZIP?"

Correct.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] bannotify.eml

2004-07-22 Thread R. Scott Perry

> This is still the 1.79i8 interim that is listed on your site and it's not
> the one that handles the SKIPIFEXT exception.

Thanks for pointing this out -- I'll get that updated.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Tagging a mail if its weighted as spam

2004-07-22 Thread R. Scott Perry

> so this
> WEIGHT10    SUBJECT [Spam]
> WEIGHT10    HEADER  [This E-mail is likely to be spam; see http://www.example.com/spam for details]
> will put a subject line and a header ?

No.  You can't have multiple actions per test -- to do what you want, you
would need to create a new test, such as WEIGHT10A, that is identical to
the WEIGHT10 test (except for the name).  Then you could have:

WEIGHT10    SUBJECT [Spam]
WEIGHT10A    HEADER  [This E-mail is likely to be spam; see http://www.example.com/spam for details]

and both actions will work together for E-mail that fails the WEIGHT10 test.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Message header review

2004-07-22 Thread Brad Morgan
> Earthlink has for some reason been forwarding spam through this 
> server for some time.  I'm not sure what the setup is, but it's
> a legitimate Earthlink server and the E-mail originates from a 
> spam zombie.

> I have thought about IPBYPASS'ing this server in order to capture
> the real source, but I have yet to confirm if this server is just
> used for forwarding or what the case may be.  It could be that 
> this is an open relay, a forwarding server, or a full fledged mail
> server.  I am guessing the first.
>
> Matt
>
Can't you use abuse.net's open relay test to determine if it's as
simple as an open relay?

I tried and it appears to not be an open relay, but I'm not an
expert at these things so I may not understand what I'm doing.

Regards,

Brad 


[Declude.JunkMail] Declude reporting wrong IP... why?

2004-07-22 Thread Joe Wolf




I've had a couple of reports that my messages were failing SPF.  I sent a
message to myself via a loop and am totally confused at the message header.

The message was actually sent from my computer on private IP 192.168.1.177
to my IMail server at 216.229.87.4.  For some reason Declude reports that
I sent the message from 216.229.64.74.  That IP is one of our IP's, but
not at this location and the message never touched that subnet.

Any ideas?

Top part of message header shows correct information:

Received: from source ([216.229.87.4]) by exprod6mx94.postini.com
([12.158.35.251]) with SMTP;
 Thu, 22 Jul 2004 16:09:56 CDT
Received: from office [192.168.1.177] by mail.csimo.com
  (SMTPD32-8.12) id AD281C400BE; Thu, 22 Jul 2004 16:10:00 -0500

Declude JunkMail reports wrong IP address in bottom section.  This causes SPF fail:

X-Declude-Sender: [EMAIL PROTECTED] [216.229.64.74]
X-Note: This message was sent from 216-229-64-74-empty.fidnet.com
([216.229.64.74]).

-Joe
 


Re: [Declude.JunkMail] Message header review

2004-07-22 Thread Matt




Earthlink has for some reason been forwarding spam through this server
for some time.  I'm not sure what the setup is, but it's a legitimate
Earthlink server and the E-mail originates from a spam zombie.

I have thought about IPBYPASS'ing this server in order to capture the
real source, but I have yet to confirm if this server is just used for
forwarding or what the case may be.  It could be that this is an open
relay, a forwarding server, or a full fledged mail server.  I am
guessing the first.

Matt



i360 Support wrote:

  Can someone help me with the header of this message.

  I think this came from earthlink.net mail server.
  According to earthlink abuse they can't do anything about this type of
  spam since it did not originate from their network.

  We get porn spam from this segment all the time.

Received: from asmtp-a063f33.pas.sa.earthlink.net [207.217.120.149] by deepspace.i360.net with ESMTP
  (SMTPD32-7.15) id A94339680150; Thu, 22 Jul 2004 10:12:03 -0500
Received: from 68-235-252-102.atlsfl.adelphia.net ([68.235.252.102])
 by asmtp-a063f33.pas.sa.earthlink.net with asmtp (Exim 4.34)
 id 1BnfBN-00062N-F4; Thu, 22 Jul 2004 08:08:32 -0700
Message-ID: <[EMAIL PROTECTED]>
Reply-To: "=?windows-1251?B?Y2FtZWxsaWE=?=" <[EMAIL PROTECTED]>
From: "=?windows-1251?B?Y2FtZWxsaWE=?=" <[EMAIL PROTECTED]>
Subject: SPAM:
=?windows-1251?B?QnJpZGdldCBtb25yb2Ugc3Vja2luZyBhIGhhcmQgY29jayB2ZXJ5IGRlZXA=?=
Date: Thu, 22 Jul 2004 00:56:07 -0400
MIME-Version: 1.0
Content-Type: text/html;
 charset="windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
X-ELNK-Trace:
006cdaaeaf6f69a98241270f52c7d65b7e972de0d01da9401ceba94723fb6a47959954e32e1a9354350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 68.235.252.102
X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail
client [840a].
X-Declude-Sender: [EMAIL PROTECTED]
[207.217.120.149]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, BADHEADERS, WEIGHT10 [11]
X-Note: This E-mail was sent from asmtp-a063f33.pas.sa.earthlink.net
([207.217.120.149]).
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 384479918


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] Copy To

2004-07-22 Thread Pete McNeil
On Thursday, July 22, 2004, 2:29:39 PM, Jeff wrote:

JK>  I would like to monitor both incoming and outgoing mail from 1 particular
JK> e-mail address on my domain. What would be the easiest/simplest way of doing
JK> it without the persons knowledge.

Use the 'copy mail to' feature in IMail and then filter the contents.
The feature will send all mail to that account, so be sure you have
appropriate filtering in place before you go this route.

This should be the simplest way.

_M




RE: [Declude.JunkMail] bannotify.eml

2004-07-22 Thread Dave Marchette
Correction:  

Should read "If we want to block all zips, but we want to NOT send an
'attachment blocked' message if the zip is an EZIP, can this be
accomplished with SKIPIFEXT EZIP?"

Sorry for the confusion.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Marchette
Sent: Thursday, July 22, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] bannotify.eml


If we want to block all zips, but we want to only send an 'attachment
blocked' message if the zip is an EZIP, can this be accomplished with
SKIPIFEXT EZIP?  

Problem seems to be that if you have BANEXT ZIP and BANEXT EZIP, Declude
still only sees them as zip and not EZIP, and flags them as such and
therefore never skips the EZIP because it does not see it as an EZIP,
just as a ZIP.  

  




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, July 22, 2004 3:07 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] bannotify.eml


>Is there a line I can add to not send this email message that fail EZIP?

With the latest interim (http://www.declude.com/version/interim), you can
add a line "SKIPIFEXT EZIP" to the bannotify.eml file.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in
mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Copy To

2004-07-22 Thread John Tolmachoff \(Lists\)
Imail copyall account and Imail rules for that account deleting all but to
and from that address.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Jeff Kratka
> Sent: Thursday, July 22, 2004 11:30 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Copy To
> 
> I would like to monitor both incoming and outgoing mail from 1 particular
> e-mail address on my domain. What would be the easiest/simplest way of doing
> it without the person's knowledge?
> 
> Jeff Kratka
> 
> TymeWyse Internet
> P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
> tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]


[Declude.JunkMail] Copy To

2004-07-22 Thread Jeff Kratka
I would like to monitor both incoming and outgoing mail from 1 particular
e-mail address on my domain. What would be the easiest/simplest way of doing
it without the person's knowledge?

Jeff Kratka

TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]




RE: [Declude.JunkMail] bannotify.eml

2004-07-22 Thread Dave Marchette

If we want to block all zips, but we want to only send an 'attachment
blocked' message if the zip is an EZIP, can this be accomplished with
SKIPIFEXT EZIP?  

Problem seems to be that if you have BANEXT ZIP and BANEXT EZIP, Declude
still only sees them as zip and not EZIP, and flags them as such and
therefore never skips the EZIP because it does not see it as an EZIP,
just as a ZIP.  

  




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, July 22, 2004 3:07 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] bannotify.eml


>Is there a line I can add to not send this email message that fail EZIP?

With the latest interim (http://www.declude.com/version/interim), you can
add a line "SKIPIFEXT EZIP" to the bannotify.eml file.

-Scott


Re: [Declude.JunkMail] Message header review

2004-07-22 Thread Roderick A. Anderson
dig -x
;; ANSWER SECTION:
102.252.235.68.in-addr.arpa. 86286 IN   PTR 68-235-252-102.atlsfl.adelphia.net.

dig -x 207.217.120.149
;; ANSWER SECTION:
149.120.217.207.in-addr.arpa. 86400 IN  PTR asmtp-a063f33.pas.sa.earthlink.net.

Seems to indicate so.

Rod
-- 

i360 Support wrote:

>Can someone help me with the header of this message.
>
>I think this came from earthlink.net mail server.
>According to earthlink abuse they can't do anything about this type of spam since it 
>did not originate from their network.
>
>We get porn spam from this segment all the time.
>
>
>
>
>Received: from asmtp-a063f33.pas.sa.earthlink.net [207.217.120.149] by 
>deepspace.i360.net with ESMTP
>  (SMTPD32-7.15) id A94339680150; Thu, 22 Jul 2004 10:12:03 -0500
>Received: from 68-235-252-102.atlsfl.adelphia.net ([68.235.252.102])
> by asmtp-a063f33.pas.sa.earthlink.net with asmtp (Exim 4.34)
> id 1BnfBN-00062N-F4; Thu, 22 Jul 2004 08:08:32 -0700
>Message-ID: <[EMAIL PROTECTED]>
>Reply-To: "=?windows-1251?B?Y2FtZWxsaWE=?=" <[EMAIL PROTECTED]>
>From: "=?windows-1251?B?Y2FtZWxsaWE=?=" <[EMAIL PROTECTED]>
>Subject: SPAM: 
>=?windows-1251?B?QnJpZGdldCBtb25yb2Ugc3Vja2luZyBhIGhhcmQgY29jayB2ZXJ5IGRlZXA=?=
>Date: Thu, 22 Jul 2004 00:56:07 -0400
>MIME-Version: 1.0
>Content-Type: text/html;
> charset="windows-1251"
>Content-Transfer-Encoding: 7bit
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook Express 6.00.2600.
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
>X-ELNK-Trace: 
>006cdaaeaf6f69a98241270f52c7d65b7e972de0d01da9401ceba94723fb6a47959954e32e1a9354350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
>X-Originating-IP: 68.235.252.102
>X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
>X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]"
>X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [840a].
>X-Declude-Sender: [EMAIL PROTECTED] [207.217.120.149]
>X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
>X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, BADHEADERS, WEIGHT10 [11]
>X-Note: This E-mail was sent from asmtp-a063f33.pas.sa.earthlink.net 
>([207.217.120.149]).
>X-RCPT-TO: <[EMAIL PROTECTED]>
>Status: U
>X-UIDL: 384479918
>  
>

-- 
Roderick A. Anderson
Project Manager
Technology Services Management Group 

Spokane WA, 99202
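
The header review above, as an added example that is not part of the thread or any poster's code: it unfolds the two Received lines from the posted message, orders the hops oldest-first, builds the in-addr.arpa names that `dig -x` queries, and separates the address the receiving server recorded first-hand from what the upstream relay recorded. The `summarize` helper and its field names are assumptions made for illustration.

```python
import re

# Trace headers reconstructed from the message quoted in this thread
# (newest hop first, folded lines re-indented as continuation lines).
RAW_HEADERS = """\
Received: from asmtp-a063f33.pas.sa.earthlink.net [207.217.120.149] by
 deepspace.i360.net with ESMTP
 (SMTPD32-7.15) id A94339680150; Thu, 22 Jul 2004 10:12:03 -0500
Received: from 68-235-252-102.atlsfl.adelphia.net ([68.235.252.102])
 by asmtp-a063f33.pas.sa.earthlink.net with asmtp (Exim 4.34)
 id 1BnfBN-00062N-F4; Thu, 22 Jul 2004 08:08:32 -0700
X-Originating-IP: 68.235.252.102
"""

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)?"
    r"\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)", re.IGNORECASE)

def unfold(raw):
    """Join folded continuation lines; return [(lowercased name, value), ...]."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers

def received_hops(raw):
    """Parse Received lines and return the hops oldest-first."""
    hops = [m.groupdict() for name, value in unfold(raw)
            if name == "received" and (m := HOP_RE.search(value))]
    return hops[::-1]  # each server prepends its own line, so reverse

def ptr_name(ip):
    """The reverse-DNS name that `dig -x <ip>` looks up."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def summarize(raw, my_server):
    """Separate what our own server recorded from what upstream hosts claim."""
    hops = received_hops(raw)
    own = [h for h in hops if h["by"].lower() == my_server.lower()]
    extra = dict(unfold(raw)).get("x-originating-ip")
    return {
        # First-hand: the address that actually connected to our server.
        "handoff_ip": own[-1]["ip"] if own else None,
        # Second-hand: written by an upstream host, only as good as that host.
        "claimed_origin_ip": hops[0]["ip"] if hops else None,
        # Does each hop's receiving host reappear as the next hop's sender?
        "chain_consistent": all(a["by"].lower() == b["helo"].lower()
                                for a, b in zip(hops, hops[1:])),
        "x_originating_ip_agrees": bool(hops) and extra == hops[0]["ip"],
    }

if __name__ == "__main__":
    for hop in received_hops(RAW_HEADERS):
        print(hop["ip"], ptr_name(hop["ip"]), "->", hop["by"], "via", hop["proto"])
    print(summarize(RAW_HEADERS, "deepspace.i360.net"))
```
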



Re: [Declude.JunkMail] bannotify.eml

2004-07-22 Thread Matt
Scott,
This is still the 1.79i8 interim that is listed on your site and it's 
not the one that handles the SKIPIFEXT exception.

Matt

R. Scott Perry wrote:

>Is there a line I can add to not send this email message that fail EZIP?

With the latest interim (http://www.declude.com/version/interim), you
can add a line "SKIPIFEXT EZIP" to the bannotify.eml file.

   -Scott

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


RE: [Declude.JunkMail] How can I rescan a message ?

2004-07-22 Thread Brad Morgan
> > I just took a Eicar virus message and performed the following experiments:
> >
> > 1) Move the Q*.SMD and D*.SMD file to the spool directory.
> >    Result:  Message delivered to my Inbox.
> >
> > 2) Move the Q*.SMD to overflow and the D*.SMD file to the spool directory.
> >    Result:  Message delivered to my Inbox (faster).
> >
> > I expected case 2 to be scanned by Declude Virus and quarantined again.
> > I'm assuming that it wasn't scanned by Declude JunkMail either (this is
> > a harder experiment for me to perform.  I need to hold some spam for
> > testing).
> >
> > So I think the original question is still unanswered...
> >
> > How do you get a message rescanned by Declude Virus and/or
> > Declude JunkMail?
> >
> > Regards,
> >
> > Brad Morgan
> > IT Manager
> > Horizon Interactive Inc.
> >
> 
> To answer my own question...
> 
> I held some spam so I could perform experiment 2 with a spam message instead
> of a virus message and it was rescanned by Declude JunkMail after the Q*.SMD
> file was placed in the spool\overflow directory.  I examined both the
> dec0722.log and the vir0722.log and it does appear that the message was also
> rescanned by Declude Virus.
> 
> Now to figure out why the Eicar Virus wasn't found the first time I ran this
> experiment.
> 
> Regards,
> 
> Brad
> 
So I ran the experiment again but this time I removed the headers
in the D*.SMD file inserted by Declude the first time around.

It worked!  Declude Virus found the virus again!

So ignore everything I've said in this thread, it works as
advertised.

Regards,

Brad


[Declude.JunkMail] Message header review

2004-07-22 Thread i360 Support



Can someone help me with the header of this message.

I think this came from earthlink.net mail server.
According to earthlink abuse they can't do anything about this type of spam
since it did not originate from their network.

We get porn spam from this segment all the time.

Received: from asmtp-a063f33.pas.sa.earthlink.net [207.217.120.149] by deepspace.i360.net with ESMTP
  (SMTPD32-7.15) id A94339680150; Thu, 22 Jul 2004 10:12:03 -0500
Received: from 68-235-252-102.atlsfl.adelphia.net ([68.235.252.102])
 by asmtp-a063f33.pas.sa.earthlink.net with asmtp (Exim 4.34)
 id 1BnfBN-00062N-F4; Thu, 22 Jul 2004 08:08:32 -0700
Message-ID: <[EMAIL PROTECTED]>
Reply-To: "=?windows-1251?B?Y2FtZWxsaWE=?=" <[EMAIL PROTECTED]>
From: "=?windows-1251?B?Y2FtZWxsaWE=?=" <[EMAIL PROTECTED]>
Subject: SPAM:
 =?windows-1251?B?QnJpZGdldCBtb25yb2Ugc3Vja2luZyBhIGhhcmQgY29jayB2ZXJ5IGRlZXA=?=
Date: Thu, 22 Jul 2004 00:56:07 -0400
MIME-Version: 1.0
Content-Type: text/html;
 charset="windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
X-ELNK-Trace:
 006cdaaeaf6f69a98241270f52c7d65b7e972de0d01da9401ceba94723fb6a47959954e32e1a9354350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 68.235.252.102
X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [840a].
X-Declude-Sender: [EMAIL PROTECTED] [207.217.120.149]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, BADHEADERS, WEIGHT10 [11]
X-Note: This E-mail was sent from asmtp-a063f33.pas.sa.earthlink.net
 ([207.217.120.149]).
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 384479918


RE: [Declude.JunkMail] How can I rescan a message ?

2004-07-22 Thread Brad Morgan
>
> The original poster wanted to know how to get a message rescanned by Declude
> (Virus and JunkMail).
>
> I just took a Eicar virus message and performed the following experiments:
>
> 1) Move the Q*.SMD and D*.SMD file to the spool directory.
>    Result:  Message delivered to my Inbox.
>
> 2) Move the Q*.SMD to overflow and the D*.SMD file to the spool directory.
>    Result:  Message delivered to my Inbox (faster).
>
> I expected case 2 to be scanned by Declude Virus and quarantined again.
> I'm assuming that it wasn't scanned by Declude JunkMail either (this is
> a harder experiment for me to perform.  I need to hold some spam for
> testing).
>
> So I think the original question is still unanswered...
>
> How do you get a message rescanned by Declude Virus and/or
> Declude JunkMail?
>
> Regards,
>
> Brad Morgan
> IT Manager
> Horizon Interactive Inc.
>

To answer my own question...

I held some spam so I could perform experiment 2 with a spam message instead
of a virus message and it was rescanned by Declude JunkMail after the Q*.SMD
file was placed in the spool\overflow directory.  I examined both the
dec0722.log and the vir0722.log and it does appear that the message was also
rescanned by Declude Virus.

Now to figure out why the Eicar Virus wasn't found the first time I ran this
experiment.

Regards,

Brad




RE: [Declude.JunkMail] How can I rescan a message ?

2004-07-22 Thread Brad Morgan
> > > > I have a message that was held as spam a couple days ago and I want to
> > > > switch to logging mode to determine what in the words filter it matched,
> > > > and what the badheaders code was (didn't have warn for badheaders on this
> > > > domain).
> > > >
> > > > How can I run this message through Declude again? Without having the
> > > > message resent.
> > > >
>
> When a message is received Declude checks to see if there are any messages
> in the overflow directory.  If there is a message in the overflow directory
> and you have not met the max processes setting Declude will spawn additional
> instances to process the messages in the overflow queue.
>
> Here is a better explanation on why and how.
> http://www.declude.com/Articles.asp?ID=130
>

The original poster wanted to know how to get a message rescanned by Declude
(Virus and JunkMail).

I just took a Eicar virus message and performed the following experiments:

1) Move the Q*.SMD and D*.SMD file to the spool directory.
   Result:  Message delivered to my Inbox.

2) Move the Q*.SMD to overflow and the D*.SMD file to the spool directory.
   Result:  Message delivered to my Inbox (faster).

I expected case 2 to be scanned by Declude Virus and quarantined again.
I'm assuming that it wasn't scanned by Declude JunkMail either (this is
a harder experiment for me to perform.  I need to hold some spam for
testing).

So I think the original question is still unanswered...

How do you get a message rescanned by Declude Virus and/or Declude JunkMail?

Regards,

Brad Morgan
IT Manager
Horizon Interactive Inc.



RE: [Declude.JunkMail] Tagging a mail if its weighted as spam

2004-07-22 Thread ISPhuset Nordic AS
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of R. 
> Scott Perry
> Sent: 21. juli 2004 13:00
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Tagging a mail if its weighted as spam
> 
> 
> >I know it's possible to do this in subject line but I wonder if it's
> >possible to add a line or two in the start of the mail. with a
> >link to a FAQ of why it's marked as spam.
> 
> Yes -- you can use the HEADER action to do that.  For example:
> 
> WEIGHT10 HEADER [This E-mail is likely to be spam; see http://www.example.com/spam for details]
> 


so this

WEIGHT10 SUBJECT [Spam]
WEIGHT10 HEADER [This E-mail is likely to be spam; see http://www.example.com/spam for details]

will put a subject line and a header?



Re: [Declude.JunkMail] bannotify.eml

2004-07-22 Thread R. Scott Perry

>Is there a line I can add to not send this email message that fail EZIP?

With the latest interim (http://www.declude.com/version/interim), you can
add a line "SKIPIFEXT EZIP" to the bannotify.eml file.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
